The National Institute of Standards and Technology (NIST) Information Technology Laboratory recently released guidance entitled “Software Supply Chain Security Guidance,” in response to directives set forth in President Biden’s Executive Order 14028, Improving the Nation’s Cybersecurity.
The guidance refers to existing industry standards, tools, and recommended practices previously published by NIST in SP 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” It is designed for federal agencies that “acquire, deploy, use, and manage software from open source projects, third-party suppliers, developers, system integrators, external system service providers, and other information and communications technology (ICT)/operational technology (OT)-related service providers,” but it is also relevant and useful to any organization grappling with how to handle third-party software vulnerabilities after the SolarWinds incident.
The guidance walks readers through software cybersecurity for producers and consumers using the Secure Software Development Framework and the process by which NIST gathered evolving standards, tools, and recommended practices to address software supply chain security. The recommended practices include:
- Ensuring that suppliers of software products and services are able to produce a Software Bill of Materials (SBOM)
- Enhanced Vendor Risk Assessments
- Implementing Open Source Software Controls
- Vulnerability Management
NIST publications offer relevant and easy-to-understand cybersecurity guidance. With the rise we have seen in zero-day vulnerabilities and the continued risk of attacks by Russia and China, this is a worthwhile and timely read.